Update vulnerable Rollup dependency to patch high severity

[xmajox]

Is there an existing issue for this?

• I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
• I have reviewed the documentation https://docs.sentry.io/
• I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases

How do you use Sentry?

Sentry Saas (sentry.io)

Which SDK are you using?

@sentry/nextjs

SDK Version

7.119.1

Framework Version

No response

Link to Sentry event

No response

Reproduction Example/SDK Setup

Related to: GHSA-gcx4-mw62-g8wm

sentry/nextjs is currently relying on a vulnerable version of rollup 4.18.0, which has since been patched. Dependabot created the PR for it here, but the CI failed due to a minor timeout.

Would be great if you could merge this PR and backport the fix to the 7.x branch as this high severity vulnerability has been resolved for a few weeks already and is actually becoming a problem in terms of compliance.

Steps to Reproduce

Current rollup version: 4.18.0
Simply check the lockfiles

Expected Result

• sentry/javascript has no dependency of rollup < 4.22.4
• fix is backported to 7.x branch

Actual Result

Nothing yet...

[lforst]

Hi, we already released an update with a bumped rollup version that is not vulnerable: https://github.com/getsentry/sentry-javascript/releases/tag/8.32.0

[lforst]

Oh sorry this is about v7

[xmajox]

Yes, sorry got a bit confused with all the numbers.

This is indeed about backporting the fix to v7, which refers to bumping rollup from 2.78.0 to 2.79.2

[lforst]

@xmajox We just released version 7.119.2 including a bumped rollup version. Feel free to reach out if there are any more problems.